EEA Supplemental Website Privacy Statement 


SCOPE OF THIS SUPPLEMENTAL STATEMENT 

Qualys, Inc. ("Qualys", "we", "us", "our") provides to residents of the European Economic Area (EEA) this Supplemental 
Website Privacy Statement ("Supplemental Statement"), which supplements and localizes the Qualys Privacy Statement at 
http://www.qualys.com/company/privacy ("Statement") for EEA residents. 


Unless defined specifically in this Supplemental Statement, capitalized terms shall have the meaning set forth in the 
Statement. 


“Site” shall mean the public-facing website at Qualys.com. 


“Cloud Services” shall mean the services provided to Qualys’ customers (“Qualys’ Customer”) via a software-as —a- service 
model pursuant to a Master Cloud Services Agreement or a comparable agreement. 


“User” shall mean you when you are providing us personal information as a user of our Cloud Services on behalf of yourself 
or Qualys’ Customer. 


CONTROLLER, PROCESSOR AND EU REPRESENTATIVE 
Qualys, Inc., 919 E Hillsdale Blvd, 4th Floor, Foster City, CA 94404, USA, operates the Site and is the controller of any 


personal data collected or otherwise processed on or through the Site. Information on our representative in the EU is as 
follows: Qualys Technologies S.A., Maison de la Defense, 92400 Courbevoie, France, fdasilva@qualys.com. 


Qualys, Inc., 919 E Hillsdale Blvd, 4th Floor, Foster City, CA 94404, USA, operates the Site and is the processor of any 
personal data collected or otherwise processed on or through the Cloud Services by you as User. Information on our 
representative in the EU is as follows: Qualys Technologies S.A., Maison de la Defense, 92400 Courbevoie, France, 
fdasilva@qualys.com. 


PURPOSES AND LEGAL BASES FOR PROCESSING 


We process your personal data on several different legal bases, as follows: 


1. Based on necessity to enter into or perform a contract with you or Qualys’ Customer - we need to process your personal 
data to enter into an agreement with you or Qualys’ Customer, to perform contractual obligations including, without 
limitation, to respond to related questions and requests or provide customer support; 


2. Based on legitimate interests - we process personal data from you 


e forthe security and safety of the Site, the Cloud Services, our IT connected to the Site and Cloud Services, and the 
users of the Site; 


e to detect and prevent fraud; 
e to protect and defend the rights or property of others, or our own rights and interests; 


e to track your activities on the Site, provided you have not opted out of such data processing. Details about the web 
analytics and advertising solutions used on the Site can be found immediately below. 


e to track your activities on the Cloud Services to improve and facilitate our provision of the Cloud Services. Detailed 
information about the web analytics and advertising solutions used on the Site can be found immediately below. 
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Name and 
Provider of 
Solution 


Personal Data 
Processed by 
Solution 


Purpose of Solution 


Retention Period 
Applicable to 
Personal Data 


Your Choice 
Regarding the 
Solution 


Google Analytics by 
Google, Inc., 1600 
Amphitheatre 
Parkway, Mountain 
View, CA 94043, 
USA 


Information on your 
use of the Site 
and/or Cloud 
Services, including, 
without limitation, 
your IP address 


Evaluating your use 
of the Site , and/or 
Cloud Services 
compiling reports on 
website activity for us 
and providing other 
services relating to 
website activity, 
Cloud Services 
activity, and Internet 
usage to us 


Varies depending 
on usage 


You can prevent 
Google’s collection 
and use of your 
personal data by 
downloading and 
installing the 
browser plug-in 
available under 


https://tools.google. 
com/dlpage/gaoptou 
t?hl=en-GB 


In addition, you can 
prevent the use of 
Google Analytics 


In the latter case, an 
opt-out cookie will 
be set on your 
device, which 
prevents the future 
collection of your 
personal data when 
visiting this Site and 
Cloud Services. Be 
aware, however that 
the opt-out cookie 
will only be 
effective within the 
Internet browser you 
used to access the 
above link and only 
for as long as you do 
not delete the opt- 
out cookie. 


Pingdom 


Information on your 
use of the Site 
and/or Cloud 
Services, including, 
without limitation, 
your IP address 


Evaluating your use 
of the Site , and/or 
Cloud Services 
compiling reports on 
website activity for us 
and providing other 
services relating to 
website activity, 
Cloud Services 
activity, and Internet 
usage to us 


Varies depending 
on usage 


3. Based on compliance with legal obligations - we may need to process your personal data to comply with relevant laws, 


regulatory requirements and to respond to lawful requests, court orders, and legal process; 
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4. Based on your prior consent - for placing cookies on your device (subject to certain exceptions) or sending marketing 
communications to you. Detailed information on our use of cookies and our marketing communications to you are set 
forth immediately below. 


Cookies Used 


The Site and Cloud Services makes use of cookies. Cookies are small text files downloaded by your Internet browser and 
stored on the device you use to access the Site (e.g., your desktop computer, tablet or smartphone). Depending on their 
purpose, cookies log specific user-related information such as your user preferences, authentication information, security 
parameters, data concerning the device you access the Site with and statistical information regarding your use of the Site. 
Where necessary during your visit of the Site or Cloud Services or when revisiting the Site or Cloud Services, your 
Internet browser transmits the cookies including the contained information back to the servers they were initially 
downloaded from. The analysis and Processing of such information allows us to ensure the functionality of the Site and 
Cloud Services, improve your online experience and optimize the structure and content of the Site and Cloud Services. 


The cookies we use can be categorized as follows: 


Strictly Necessary Cookies These are cookies that are required for the operation of the Site or of certain 
parts thereof. They either serve the sole purpose of carrying out network 
transmissions or are strictly necessary in order for us to provide an online 
service explicitly requested by you. 


Analytical/Performance Cookies These cookies allow us to carry out web analytics or other forms of audience 
measuring such as recognizing and counting the number of visitors and seeing 
how visitors move around the Site. This helps us to improve the way the Site 
works, for example, by ensuring that users are easily finding what they are 
looking for. 


Functionality Cookies These cookies are used to recognize you when you return to the Site. This 
enables us to personalize our content for you, greet you by name and remember 
your preferences (for example, your choice of language or region). Loss of the 
information in these cookies may make our services less functional but would 
not prevent the Site from working. 


Targeting/Profiling Cookies These cookies record your visit to the Site and/or your use of the services, the 
pages you have visited and the links you have followed. We will use this 
information to make the Site and the advertising displayed on it more relevant 
to your interests. We may also share this information with third parties for this 


purpose. 


Demographic Information Cookies These cookies collect and retain limited demographic information such as date 
of birth and gender, if such information is provided by the user, which is tied to 
anonymous identifiers and may be referenced by the system for some tailored 
advertising. 


Cookies: A list of cookies used on the Site and in the Cloud Services: _https://www.qualys.com/company/privacy/cookies/ 
You may influence the scope and extent to which we use cookies when you visit our Site and Cloud Services. In particular, 
you may prevent cookies from being stored on your device by adjusting the respective settings on your Internet browser. 
However, please be aware that this might render certain functions of our Cloud Services more difficult to use. Depending on 
the Internet browser you use, you might also be able to specifically reject third-party cookies. In this context, please note, 
however, that third parties might still have access to your Personal Information to the extent that such information is logged 
by first-party cookies. 
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For more information on how to do so in the settings of your particular Internet browser, please see the following 
information. 


Internet Explorer: 
https://privacy.microsoft.com/en-us/internet-explorer-iel 1-preview-privacy-statement 


Chrome: 
https://www.google.com/intl/en/chrome/browser/privacy/ 


Firefox: 
https://support.mozilla.org/en-US/products/firefox/protect-your-privacy 


Safari: 
http://www.apple.com/privacy/manage-your-privacy/ 


Marketing Communications to You 


On the Site at the following link: https://(www.qualys.com/communication-preferences/ you can register to receive 
newsletters, event information or similar information on our products or services or the products or services of our 
affiliated companies. As part of the registration process, we ask you to provide us with certain mandatory information. 
Such information may include: name, email, company name, job title, company size, professional phone number, location 
of office. 


When receiving a registration, we log and store the date/time of registration the registration was received from. This 
solely serves evidentiary purposes your contact detailed are used by an unauthorized party. 


When registering to receive newsletters or similar information on the Site at https://www.qualys.com/communication- 
preferences/ you need to explicitly declare your consent in our processing of your personal data for this purpose. 


You are under no obligation to provide such consent and, if you choose to do so nonetheless, you may withdraw your 
consent at any time with future effect for any or no reason by following the unsubscribe link contained in any email 
communication to you or by sending us an email at privacy@qualys.com. 


RECIPIENTS OF YOUR PERSONAL DATA 


In the following circumstances, we disclose your personal data to the following third parties, as required or permitted by 
applicable law: 
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Who your Personal Data May Be Disclosed To? 


What Is the Purpose Underlying the Disclosure? 


Companies affiliated with Qualys, Inc. including: 
Qualys, Ltd 
100 Brook Drive 
Green Park 
Reading, Berkshire 
RG2 6UJ 
United Kingdom 


Qualys Technologies, SA 
Mainson de la Defense 
7 Place de la Defense 


Qualys GmbH 
Munchen airport — Terminalstr Mitte 18 


Qualys Netherlands, BV 
Trustmoor Netherlands B.V. 
Pins Hendriklaan 26 

1075 BD Amsterdam 

The Netherlands 


Qualys Security TechServices Private Ltd. 
10" and 11° floor, Panchshil Tech Park 
Plot No. 4, Survey No’s 1678-1683 
Ganesh Khind Road Shivaji Nagar 


To assist us in the operation or improvement of the 
Site and to enhance our products and services; to 
complete business administration of our 
relationship with Qualys’ Customers; to manage 
our marketing relationship with Qualys’ Customers 
and prospects; to respond to your requests for 
information or to apply for a job with Qualys. 


Third-party suppliers and service providers including: 


Marketo, Inc. 

901 Mariners Island Boulevard 
Suite #500 (Reception) 

San Mateo, CA 94404 


Oracle Corporation 
500 Oracle Parkway 
Redwood Shores, CA 94065 


Salesforce.com, Inc. 

The Landmark at One Market 
Suite 300 

San Francisco, CA 94105 


Docusign Inc. 


221 Main St., 
Suite 1000 
San Francisco, CA 94105 


Salesloft 
1180 West Peachtree Street NW 


To assist us in the operation or improvement of the 
Site and to enhance our products and services; to 
complete business administration of our 
relationship with Qualys’ Customers; to manage 
our marketing relationship with Qualys’ Customers 
and prospects; to respond to your requests for 
information or to apply for a job with Qualys. 
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Suite 600 
Atlanta, GA 30309 


Ringlead 
200 Broadhollow Road 
Melville, NY 11747 USA 


Box 
900 Jefferson Avenue 
Redwood City, CA 94063 


Merchant e-Solutions Inc. 

c/o Privacy Officer 

3475 Lenox Rd NE, Suite 500 
Atlanta, GA 30342 


Adobe Acrobat 
345 Park Avenue 
San Jose, CA 95110 


Google for Gmail and Google Analytics 
1600 Amphitheatre Parkway 
Mountain View, CA, 94043. 


SolarWinds for Pingdom 


7171 Southwest Parkway 
Bldg 400 
Austin, Texas 78735 


Jobvite 


1300 S El Camino Real, 400 
San Mateo, CA 94402 


To other third parties in line with applicable legal requirements To comply with legal obligations that we are 
(where applicable) subject to; 


DATA TRANSFERS TO RECIPIENTS OUTSIDE OF THE EU/EEA 


Our headquarters, many of our data centers, and many of our affiliated companies and third-party service providers are 
located in the United States, which is subject to an adequacy decision by the EU Commission. According to the EU 
Commission, companies that self-certify under the EU-U.S. Privacy Shield program are subject to an adequate level of data 
protection. Qualys has self-certified under the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield Framework 
program. For more information, please see here: https://www.privacyshield. gov. 


To ensure an adequate level of protection of your personal data also with respect to affiliated and unaffiliated service 
providers outside the United States and EEA, we enter into data processing and data transfer agreements that incorporate the 


773863-v1\PALDMS 


Standard Contractual Clauses approved by the EU Commission and our Technical and Operational Measures. You can ask 
for a copy of such Technical and Operational Measures by contacting Privacy@Qualys.com. 


HOW LONG WE KEEP YOUR PERSONAL DATA 


We have implemented appropriate retention periods for your personal data collected or otherwise processed on or through the 
Site as set forth in our records management policy. Personal data processed in the context of a contract with you will be 
retained by us for the term of the contract and for a reasonable time afterwards as might be required to determine and settle 
any related claims. Where our processing of your personal data is based on legitimate interests or the compliance with legal 
obligations, it will be deleted as soon as the underlying purpose has expired. Personal data processed based on your consent 
will be deleted if and when you withdraw such consent. 


YOUR RIGHTS REGARDING THE PROCESSING OF YOUR PERSONAL DATA 


Subject to the conditions set out in the applicable law, you have, without limitation, the rights to (i) inquire whether and what 
kind of personal data we hold about you and how it is processed, and to access or request copies of such personal data, 

(ii) request the correction or supplementation of personal data about you that is inaccurate, incomplete or out-of-date in light 
of the purposes underlying the processing, or to (iii) obtain the erasure of personal data no longer necessary for the purposes 
underlying the processing, processed based on withdrawn consent, processed for legitimate interests that, in the context of 
your objection, do not prove to be compelling, or processed in non-compliance with applicable legal requirements. In 
addition, you have, subject to the conditions set out in the applicable law and without limitation, the rights to (iv) request us 
to restrict the processing of personal data in certain situations where you feel its processing is inappropriate, (v) object, in 
certain circumstances, to the processing of personal data for legitimate interests, and to (vi) request portability of personal 
data that you have actively or passively provided to us (which does not include data derived or inferred from the collected 
data), where the processing of such personal Data is based on consent or a contract with you and is carried out by automated 
means. In case of concerns, you also have the right to lodge a complaint with the competent local data protection authority. 


You may exercise the above mentioned rights of access, rectification, erasure, restriction, objection and data portability by 
contacting us under privacy@Qualys.com even to the extent that such claims relate to the processing of personal data by one 
or more of the data recipients identified in this privacy statement. Please note that if the personal information that you are 
inquiring about is within the Cloud Services based on your use as a User, then Qualys will have to forward your inquiry to 
the Qualys’ Customer that controls the personal data within that subscription. 


EFFECTIVE DATE AND CHANGES 
This Supplemental Statement is effective May 25, 2018. We may make changes, including material changes, to this 
Supplemental Statement from time to time. You should review the Supplemental Statement each time you visit our Site to 


learn of any changes. 


If you have questions about this Supplemental Statement, please contact us at Privacy@Qualys.com 
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